Elliptic Nets and Points on Elliptic Curves

Geometry and Recurrence Sequences From Sequences to Nets Pairings Summary

Katherine Stange

Department of Mathematics Brown University http://www.math.brown.edu/~stange/

Algorithmic Number Theory, Turku, Finland, 2007

Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences From Sequences to Nets Pairings Summary Outline

1 Geometry and Recurrence Sequences A Motivating Example Elliptic Divisibility Sequences

2 From Sequences to Nets Generalising Sequences Elliptic Nets Primes in Elliptic Nets Periodicity Properties 3 Pairings Removing the Problem of Bases Tate and Weil Pairings Algorithms

Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences From Sequences to Nets A Motivating Example Pairings Elliptic Divisibility Sequences Summary Divisibility in Linear Recurrences

Consider an integer linear recurrence of the form

L0 = 0; L1 = 1; Ln = aLn−1 − Ln−2

Theorem (Divisibility Property)

If n|m then Ln|Lm.

Proof. Let α be a root of x2 − ax + 1 = 0. Then αn − α−n L = Φ (α) := . n n α − α−1

The function xn − x−n Φ (x) = n x − x−1

is the function on Gm with simple zeroes at the 2n-torsion points besides 1 and -1.

p Q(α) Reducing modulo p, we obtain Gm over Fq. | | 2 The image αe has some ﬁnite order np. p Q For all k, Φknp (α) ≡ 0 mod p. Divisibility Restated (Almost)

For each prime p there is a positive integer np such that

Ln ≡ 0 mod p ⇐⇒ np|n

The geometry gives meaning to the statement that p|Ln.

It also tells us more: e.g. np|q − 1.

Example

The even-index Fibonaccis satisfy Fn = 3Fn−1 − Fn−2. They are

1, 3, 8, 21, 55, 144, 377,...

The prime 7 appears ﬁrst at index 4|72 − 1. The prime 11 appears ﬁrst at index 5|11 − 1.

Deﬁnition

A sequence hn is an elliptic divisibility sequence if for all positive integers m > n,

2 2 2 hm+nhm−nh1 = hm+1hm−1hn − hn+1hn−1hm .

Generated by initial conditions h0,..., h4 via the recurrence.

Necessarily h0 = 0; by convention h1 = 1.

If initial terms are integers and h2|h4, then the sequence is entirely integer and satisﬁes the divisibility property.

Deﬁnition Let σ be the Weierstrass sigma function associated to the complex uniformization of an elliptic curve.

σ(nz) Ψn(z) = σ(z)n2

Elliptic functions. Simple zeroes at non-zero n-torsion points.

Theorem (M. Ward, 1948)

Let E be an elliptic curve deﬁned over Q with lattice Λ ⊂ C, and let u ∈ C correspond to a rational point P on E. Then

hn := Ψn(u)

forms an elliptic divisibility sequence.

We call this the sequence associated to E, P.

P = (0, 0) h1 = 1 [2]P = (3, 5) h2 = 1 11 28 [3]P = − , h = −3 9 27 3 114 267 [4]P = , − h = 11 121 1331 4 2739 77033 [5]P = − , − h = 38 1444 54872 5 89566 31944320 [6]P = , − h = 249 62001 15438249 6 2182983 20464084173 [7]P = − , − h = −2357 5555449 13094193293 7

Points on the curve have the form

a b [ ] = n , n n P 2 3 hn hn

The sequences an and bn can be calculated from hn. The point [n]P can be recovered from hn−2, hn−1, hn, hn+1, hn+2. Lesson 1 The recurrence calculates the group law (for multiples of P).

Applications to Elliptic Curve Discrete Logarithm Problem in cryptography (R. Shipsey) Finding integral points (M. Ayad) Primes in EDS (G. Everest, J. Silverman, T. Ward, ...) EDS are a special case of Somos Sequences (A. van der Poorten, J. Propp, M. Somos, C. Swart, ...) p-adic and function ﬁeld cases (J. Silverman) Continued fractions and elliptic curve group law (W. Adamas, A. van der Poorten, M. Razar) Sigma function perspective (A. Hone, ...) Hyper-elliptic curves (A. Hone, A. van der Poorten, ...) More...

Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences Generalising Sequences From Sequences to Nets Elliptic Nets Pairings Primes in Elliptic Nets Summary Periodicity Properties Can we do more?

The elliptic divisibility sequence is associated to the sequence of points [n]P on the curve.

[n]P ↔ hn The Mordell-Weil group of an elliptic curve may have rank > 1. We might dream of ...

[n]P + [m]Q ↔ hn,m

Deﬁnition (KS) Let R be an integral domain, and A a ﬁnite-rank free abelian group. An elliptic net is a map W : A → R such that the following recurrence holds for all p, q, r, s ∈ A.

W (p + q + s)W (p − q)W (r + s)W (r) + W (q + r + s)W (q − r)W (p + s)W (p) + W (r + p + s)W (r − p)W (q + s)W (q) = 0

The recurrence generates the full array from ﬁnitely many initial values. The recurrence implies the elliptic divisibility sequence recurrence for A = Z.

Note We will specialise to rank(A) = 2 for the remainder of this talk.

All results hold for general rank. The rank 1 case is the theory of elliptic divisibility sequences. Results stated for Q and Z hold generally for number ﬁelds. In fact, with more work, many of the same results hold for any ﬁeld.

Elliptic Functions Ψn,m

Deﬁnition (KS) Fix a lattice Λ ∈ C corresponding to an elliptic curve E. For each pair (n, m) ∈ Z × Z, deﬁne a function Ψn,m on C × C in variables z and w: σ(nz + mw) Ψn,m(z, w) = σ(z)n2−nmσ(z + w)nmσ(w)m2−nm

These functions are elliptic in each variable. The function is zero if nz + mw = 0.

Theorem (KS) Let E be an elliptic curve deﬁned over Q, σ : C → C its Weierstrass sigma function, and let u, v ∈ C correspond to rational points P, Q on E. Then

W (n, m) := Ψn,m(u, v)

forms an elliptic net.

We call this the elliptic net associated to the curve E and points P, Q. We call P, Q the basis of the elliptic net.

4335 5959 12016 −55287 23921 1587077 −7159461 94 479 919 −2591 13751 68428 424345 −31 53 −33 −350 493 6627 48191 −5 8 −19 −41 −151 989 −1466 1 3 −1 −13 −36 181 −1535 1 1 2 −5 7 89 −149 ↑ 0 1 1 −3 11 38 249 Q P →

E : y 2 + y = x3 + x2 − 2x; P = (0, 0), Q = (1, 0)

We wish to show that the elliptic net associated to E, P1, P2 reduced modulo a prime p will be the elliptic net associated to the mod-p-reduced curve and points Ee, Pe1, Pe2.

This requires showing the the net functions Ψv can be reduced modulo p. We can obtain a nice polynomial form for them.

1-D Case: Division Polynomials E : y 2 = x3 + Ax + B, P = (x, y)

4 2 2 Ψ1 = 1, Ψ2 = 2y, Ψ3 = 3x + 6Ax + 12Bx − A , 6 4 3 2 2 2 3 Ψ4 = 4y(x + 5Ax + 20Bx − 5A x − 4ABx − 8B − A ) .

Theorem (KS)

The net functions Ψv can be expressed as polynomials in the ring

2 1 D 2 3 E Z[A, B] x1, y1, x2, y2, / yi − xi − Axi − B . x1 − x2 i=1

Example

2 y2 − y1 Ψ2,1 = 2x1 + x2 − , Ψ−1,1 = x1 − x2 , x2 − x1 2 2 Ψ2,−1 = (y1 + y2) − (2x1 + x2)(x1 − x2) .

Theorem (KS)

Consider points P1, P2 ∈ E(Q) such that the reductions modulo 2 p of the ±Pi are all distinct and nonzero. Then for each v ∈ Z there exists a function Ωv such that the following diagram commutes: Ψv E2(Q) / P1(Q)

δ δ Ω 2 v 1 Ee (Fp) / P (Fp) ∗ Furthermore div(Ωv) = δ div(Ψv).

As in the motivational example,

p|W (m, n) ⇐⇒ mP + nQ ≡ 0 mod p

The terms of a net divisible by a given prime p form a sublattice of A. Lesson 2 Elliptic nets calculate the order of points modulo p.

If P is an n-torsion point, W is the elliptic net associated to E, P, then

W (n + k) is not necessarily equal to W (k) .

Example 2 3 2 E : y + y = x + x − 2x over F5. P = (0, 0) has order 9. The associated sequence is 0, 1, 1, 2, 1, 3, 4, 3, 2, 0, 3, 2, 1, 2, 4, 3, 4, 4, 0, 1, 1, 2, 1, 3, 4,...

Theorem (M. Ward, 1948) Let W be an elliptic divisibility sequence, and p ≥ 3 a prime not dividing W (2)W (3). Let r be the least positive integer such that W (r) ≡ 0 mod p. Then there exist integers a, b such that for all n, 2 W (kr + n) ≡ W (n)ank bk mod p .

2 3 2 Example (E : y + y = x + x − 2x, P = (0, 0) over F5) 0, 1, 1, 2, 1, 3, 4, 3, 2, 0, 3, 2, 1, 2, 4, 3, 4, 4, 0, 1, 1, 2, 1, 3, 4,... W (9k + n) ≡ W (n)4nk 2k 2 mod 5 W (10) ≡ 3W (1) mod 5 k = 2 : W (18 + n) ≡ W (n)42n24 ≡ W (n) mod 5

0 4 4 3 1 2 4 4 4 4 4 1 3 0 4 3 2 0 3 2 1 The appropriate periodicity 0 3 1 4 4 4 4 property should tell how to 1 3 4 2 4 1 0 obtain the green values from the blue values. 1 1 2 0 2 4 1 ↑ 0 1 1 2 1 3 4 Q P →

Theorem (KS) Let W be an elliptic net such that W (2, 0)W (0, 2) 6= 0. Suppose W (r1, r2) and W (s1, s2) are trivial modulo p. Then there exist integers as, bs, cs, ar , br , cr , d such that for all m, n, k, l ∈ Z,

W (kr1 + ls1 + m, kr2 + ls2 + n) km kn k 2 lm ln l2 kl ≡ W (m, n)ar br cr as bs cs d mod p

0 4 4 3 1 2 4 4 4 4 4 1 3 0 a = 2, b = 2, c = 1 4 3 2 0 3 2 1 r r r 0 3 1 4 4 4 4 W (5, 4) ≡ W (1, 2)212211 1 3 4 2 4 1 0 ≡ 3W (1, 2) mod 5 1 1 2 0 2 4 1 ↑ 0 1 1 2 1 3 4 Q P →

Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences Removing the Problem of Bases From Sequences to Nets Tate and Weil Pairings Pairings Algorithms Summary The Basis of an Elliptic Net

If Wi is the elliptic net associated to E, Pi , Qi for i = 1, 2, and a1P1 + b1Q1 = a2P2 + b2Q2 then

W1(a1, b1) is not necessarily equal to W2(a2, b2) .

The net is not a function on points of E(K ). The net is associated to a basis, not a subgroup. There is a basis change formula.

Let K be a finite or number field. Let Eˆ be any finite rank free abelian group surjecting onto E(K ).

π : Eˆ → E(K )

ˆ For a basis P1, P2, choose pi ∈ E such that π(pi ) = Pi . We specify an identiﬁcation

2 ∼ Z = hp1, p2i

via ei 7→ pi . The elliptic net W associated to E, P1, P2 and defined on 0 Z2 is now identified with an elliptic net W defined on Eˆ . This allows us to compare elliptic nets associated to different bases. Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences Removing the Problem of Bases From Sequences to Nets Tate and Weil Pairings Pairings Algorithms Summary Defining a Special Equivalence Class

Deﬁnition ∗ Let W1, W2 be elliptic nets. Suppose α, β ∈ K , and f : A → Z is a quadratic form. If

f (v) W1(v) = αβ W2(v)

for all v, then we say W1 is equivalent to W2.

The basis change formula is an equivalence, when the elliptic nets are viewed as maps on Eˆ as explained in the previous slide. In this way, we can associate an equivalence class to a subgroup of E(K ).

+ Choose m ∈ Z . Let E be an elliptic curve defined over a field K containing the m-th roots of unity. Suppose P ∈ E(K )[m] and Q ∈ E(K )/mE(K ). Since P is an m-torsion point, m(P) − m(O) is a principal divisor, say div(fP ). Choose another divisor DQ defined over K such that DQ ∼ (Q) − (O) and with support disjoint from div(fP ). Then, we may define the Tate pairing

∗ ∗ m τm : E(K )[m] × E(K )/mE(K ) → K /(K )

by τm(P, Q) = fP (DQ) . It is well-deﬁned, bilinear and Galois invariant.

For P, Q ∈ E(Q)[m], the more well-known Weil pairing can be computed via two Tate pairings:

−1 em(P, Q) = τm(P, Q)τm(Q, P) .

It is bilinear, alternating, and non-degenerate.

Theorem (KS - Lesson 3)

Fix a positive m ∈ Z. Let E be an elliptic curve defined over a finite field K containing the m-th roots of unity. Let P, Q ∈ E(K ), with [m]P = O. Choose S ∈ E(K ) such that S ∈/ {O, −Q}. Choose p, q, s ∈ Eˆ such that π(p) = P, π(q) = Q and π(s) = S. Let W be an elliptic net associated to a subgroup of E(K ) containing P, Q, and S. Then the quantity

W (s + mp + q)W (s) T (P, Q) = m W (s + mp)W (s + q)

is the Tate pairing.

Choosing W to be the net associated to E, P and letting p = q = s, the periodicity relations give

W (m + 2) W (1) τ (P, P) = m W (2) W (m + 1) = (a2b)(ab)−1 = a

So the values needed for the periodicity relations are

2 m a = τm(P, P), b = a

A similar statement holds for elliptic nets in general. The Tate pairing governs the periodicity relations!

Corollary Let E be an elliptic curve defined over a finite field K , m a positive integer, P ∈ E(K )[m] and Q ∈ E(K ). If WP is the elliptic net associated to E, P, then

WP (m + 2)WP (1) τm(P, P) = . WP (m + 1)WP (2)

Further, if WP,Q is the elliptic net associated to E, P, Q, then

WP,Q(m + 1, 1)WP,Q(1, 0) τm(P, Q) = . WP,Q(m + 1, 0)WP,Q(1, 1)

(k-1,1) (k,1) (k+1,1)

(k-3,0) (k-2,0) (k-1,0) (k,0) (k+1,0) (k+2,0) (k+3,0) (k+4,0)

Figure: A block centred at k

Block centred at k pp NNN ppp NNN ppp NNN xppp NN& Block centred Block centred at 2k at 2k + 1

Katherine Stange Elliptic Nets and Points on Elliptic Curves Geometry and Recurrence Sequences From Sequences to Nets Pairings Summary Summary

The arithmetic of elliptic curves is reﬂected in elliptic divisibility sequences and more generally in elliptic nets. Elliptic nets contain information about group law, reduction modulo p and pairings on the curve. Group law, reduction and pairing computations can be done via the recurrence.

Katherine Stange Elliptic Nets and Points on Elliptic Curves Appendix For Further Reading

For Further Reading I

G. Everest, A. van der Poorten, I. Shparlinsky, T. Ward. Recurrence Sequences. Mathematical Surveys and Monographs, vol 104. American Mathematical Society, 2003. M. Ward. Memoir on Elliptic Divisibility Sequences. American Journal of Mathematics, 70:13–74, 1948. K. Stange. The Tate Pairing via Elliptic Nets. To appear in PAIRING 2007, Springer Lecture Notes in Computer Science. Slides and Preprint at http://www.math.brown.edu/~stange/

Katherine Stange Elliptic Nets and Points on Elliptic Curves